Add windows role

Set up network interfaces and SSH for Windows hosts. We can’t gather facts before we know which remote shell to use, so first run a win_ping to determine if a given host is running Windows.
2025-05-09 17:03:53 +02:00 · 2025-05-09 17:03:53 +02:00 · 91de26af57
commit 91de26af57
parent aa78b407c8
7 changed files with 123 additions and 21 deletions
--- a/roles/windows/tasks/interface.yml
+++ b/roles/windows/tasks/interface.yml
@ -0,0 +1,12 @@
+- name: Rename interface
+  win_shell: >
+    Get-NetAdapter
+    | Where-Object -Property MacAddress -eq "{{ interface.mac_address | replace(':', '-') }}"
+    | Rename-NetAdapter -NewName "{{ interface.name }}"
+  changed_when: false # not really but we don’t care
+
+- include_tasks: interface_address.yml
+  loop: "{{ interface.ip_addresses }}"
+  loop_control:
+    label: "{{ interface.name }}"
+    loop_var: address
--- a/roles/windows/tasks/interface_address.yml
+++ b/roles/windows/tasks/interface_address.yml
@ -0,0 +1,22 @@
+- name: Add IP address
+  win_shell: >
+    New-NetIPAddress -InterfaceAlias {{ interface.name }}
+    -AddressFamily IPv{{ address.family.value }}
+    -IPAddress "{{ address.address | ipaddr("address") }}" -PrefixLength {{ address.address | ipaddr("prefix") }}
+  register: result
+  changed_when: "not result.stderr or 'Instance MSFT_NetIPAddress already exists' not in result.stderr"
+  failed_when: false
+
+- set_fact:
+    prefix: "{{ prefixes | selectattr('prefix', '==', address.address|ipaddr('subnet')) | first }}"
+
+- name: Set gateway
+  when: address.family.value == 4 and prefix.custom_fields.gateway
+  win_shell: >
+    New-NetRoute -InterfaceAlias {{ interface.name }}
+    -AddressFamily IPv{{ address.family.value }}
+    -DestinationPrefix {{ "0.0.0.0/0" if address.family.value == 4 else "::/0" }}
+    -NextHop {{ prefix.custom_fields.gateway.address | ipaddr("address") }}
+  register: result
+  changed_when: "not result.stderr or 'Instance MSFT_NetRoute already exists' not in result.stderr"
+  failed_when: false
--- a/roles/windows/tasks/main.yml
+++ b/roles/windows/tasks/main.yml
@ -0,0 +1,35 @@
+- include_tasks: interface.yml
+  loop: "{{ interfaces }}"
+  loop_control:
+    label: "{{ interface.name }}"
+    loop_var: interface
+
+- name: Disable SSH password authentication
+  win_lineinfile:
+    path: c:\ProgramData\ssh\sshd_config
+    regexp: '^#?{{ item.key }}'
+    line: "{{ item.key }} {{ item.value }}"
+  loop:
+    - key: "PasswordAuthentication"
+      value: "no"
+    - key: "PermitRootLogin"
+      value: "prohibit-password"
+  notify: restart sshd
+
+- name: Set default shell to powershell
+  win_regedit:
+    path: HKLM:\SOFTWARE\OpenSSH
+    name: DefaultShell
+    data: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+  notify: restart sshd
+
+- name: Set authorized SSH keys
+  win_copy:
+    dest: C:\ProgramData\ssh\administrators_authorized_keys
+    content: "{{ ssh_keys | join('\n') }}"
+
+- name: Enable ssh
+  win_service:
+    name: sshd
+    start_mode: auto
+    state: started